This is called secret key cryptography (SKC) and is different to public key cryptography (PKC) which needs two keys; one to encrypt and one to decrypt.
According to Steven Murdoch, security expert and researcher at University College London, and his encrypted messages to Motherboard, the DES used by the Communications Electronics Security Group (CESG), which is part of the UK Government's Communications Headquarters (GCHQ) uses a DES called "Secure Chorus".
UK government (through GCHQ) are mandating a voice encryption protocol – MIKEY-SAKKE – with a key-escrow backdoor: https://t.co/NT5HKCOe40
— Steven Murdoch (@sjmurdoch) January 19, 2016
Secure Chorus relies on a tool called MIKEY-SAKKE, a centralized service provider that basically gives keys out in exchange for personal information, like an email address.
Murdoch has discovered that Secure Chorus is used by GCHQ's information and security unit, CESG, for the purpose of "protecting official and sensitive communications" and that the organization is committed to "supporting the Secure Chorus standard," suggesting that while the home secretary is calling for a ban on heavily encrypted services, the British government actually has one of its own.
Does the government want to break encryption or not? Government responds, very unclearly: https://t.co/6gQtptBgpw #IPBill
— Open Rights Group (@OpenRightsGroup) January 19, 2016
However, because the keys are handled by MIKEY-SAKKE, they could potentially be accessed by a third party not authorized by the British government to do so.
"In end-to-end encryption, each person generates their own private keys so only they can decrypt conversations. In MIKEY-SAKKE the central network provider generates everyone's private keys so can decrypt all conversations," Steven Murdoch told Motherboard who made the discovery by examining public documents published by GCHQ and the Internet Engineering Task Force (IETF).
However, Murdoch points out that the central network provider using MIKEY-SAKKE to unlock communications is not revealed in the documents. He told Motherboard that "for government communication it would likely be GCQH or an organization controlled by GCHQ.
"For corporate communications, it could be the company itself or it could be delegated, perhaps to GCHQ," Murdoch suggested.
But because the MIKEY-SAKKE keys are stored centrally, they "may be more vulnerable to hacking, intimidation of employees or insider abuse, as well as allowing less oversight," security expert Murdoch suggests in previous analysis published on Benthams Gaze, a blog written by information security researchers.
The blog states: "The MIKEY-SAKKE protocol is being promoted by the UK government as a better way to secure phone calls.
"The reality is that MIKEY-SAKKE is designed to offer minimal security while allowing undetectable mass surveillance, through the introduction a backdoor based around mandatory key-escrow. This weakness has implications which go further than just the security of phone calls."
A CESG spokesperson told Motherboard that:
"We do not recognize the claims made in this paper. The MIKEY-SAKKE protocol enables development of secure, scalable, enterprise grade products."
A UK government response to a petition calling for the home secretary to abandon all ideas of banning strong encryption states: "Clearly as technology evolves at an ever increasing rate, it is only right that we make sure we keep up, to keep our citizens safe.
"There shouldn't be a guaranteed safe space for terrorists, criminals and paedophiles to operate beyond the reach of law.
"The Investigatory Powers Bill will not ban or further limit encryption," the statement concludes.
As to who handles the MIKEY-SAKKE keys to unlock encrypted information on behalf of GCHQ, remains unknown to the public.
